Directory layout
The directory layout of an installation is as follows:
Archive installation has a different layout. See zip, tar.gz, or tgz.
Type | Description | Default Location | Config Option |
---|---|---|---|
home | Home of the Auditbeat installation. | | |
bin | The location for the binary files. | | |
config | The location for configuration files. | | |
data | The location for persistent data files. | | |
logs | The location for the logs created by Auditbeat. | | |
You can change these settings by using CLI flags or setting path options in the configuration file.
Default paths
Auditbeat uses the following default paths unless you explicitly change them.
deb and rpm
Type | Description | Location |
---|---|---|
home | Home of the Auditbeat installation. | |
bin | The location for the binary files. | |
config | The location for configuration files. | |
data | The location for persistent data files. | |
logs | The location for the logs created by Auditbeat. | |
For the deb and rpm distributions, these paths are set in the init script or in
the systemd unit file. Make sure that you start the Auditbeat service by using
the preferred operating system method (init scripts or systemctl).
Otherwise the paths might be set incorrectly.
docker
Type | Description | Location |
---|---|---|
home | Home of the Auditbeat installation. | |
bin | The location for the binary files. | |
config | The location for configuration files. | |
data | The location for persistent data files. | |
logs | The location for the logs created by Auditbeat. | |
zip, tar.gz, or tgz
Type | Description | Location |
---|---|---|
home | Home of the Auditbeat installation. | |
bin | The location for the binary files. | |
config | The location for configuration files. | |
data | The location for persistent data files. | |
logs | The location for the logs created by Auditbeat. | |
For the zip, tar.gz, or tgz distributions, these paths are based on the location of the extracted binary file. This means that if you start Auditbeat with the following simple command, all paths are set correctly:
./auditbeat